Governed detection engineering

HawkinsOperations turns detection work into governed proof routes. Human review controls promotion.

AI accelerates the work. The system separates source, validation, evidence, and public claims so reviewers can follow the artifact trail without treating website rendering as proof.


Artifact machine

Eight stages. One direction. Source to public boundary.

The machine describes what the system does. Each stage produces a named receipt; the next stage requires it.

  1. Source · SOURCE_PRESENT → validation
  2. Validation · FIXTURE_PASSED → case packet
  3. Case Packet · PACKET_ROUTED → AI support
  4. AI Support · AI_AS_LABOR → verifier
  5. Verifier · SCANNER_CLEAN → CI
  6. CI · CI_ENFORCED → proof card
  7. Proof Card · RECORD_PUBLISHED → public boundary
  8. Public Boundary · CEILING_HELD (ceiling)

Reviewer routes

Three reviewers. Three inspection paths.

The route changes how you read the system. It does not change the underlying proof state.

Hiring manager · 3 min

Executive scan

Confirm the public ceiling, the blocked claims, and the flagship HO-DET-001 proof route.

  1. Read the current
  2. Open the HO-DET-001
  3. Confirm the blocked

Proof ledger

Security engineer · 10 min

Proof review

Follow the proof record, validation route, and repository map without inferring runtime state.

SOURCE → VALIDATION → PROOF · RENDER ≠ AUTHORITY

Proof repo

Research partner · deep

Technical inspection

Trace the separated surfaces and promotion gates before accepting any stronger wording.

Inputs and gates: Source, Fixtures, Proof, Scanner, CI, Ceiling · CHECK GATES BEFORE STRONGER WORDING

Truth surfaces

Flagship proof path

HO-DET-001 · the artifact you can inspect end to end.

Eight named receipts move a single detection from version-controlled source to the current public boundary.

HO-DET-001

Source to public boundary

ceiling · CONTROLLED_TEST_VALIDATED
  1. SOURCE_PRESENT: Detection rule and SPL exist in hawkinsoperations-detections under version control with a stated owner.
  2. FIXTURE_VALIDATED: HO-DET-001 passes controlled positive and negative test cases in the validation repo.
  3. CASE_PACKET_ROUTED: Findings, validation output, and reviewer wording assemble into the case file.
  4. AI_SUPPORT_ONLY: AI accelerates labor: drafting, scaffolding, reviewer prep. AI does not promote claims.
  5. SCANNER_CLEAN: Site contract verifier and blocked-claim scanner pass before wording can ship.
  6. CI_ENFORCED: CI fails the build when contract assertions or blocked-claim rules trip on a change.
  7. RECORD_PUBLISHED: Public proof record exists with a stated ceiling, evidence pointers, and bounded scope.
  8. CEILING_HELD: Public claim ceiling holds at CONTROLLED_TEST_VALIDATED. Stronger wording requires a separate promotion gate.

Truth surfaces

Six surfaces. Each one supports its own claims, nothing more.

Promotion is always upward and gated. The surfaces describe what each layer can prove and the receipt the next layer requires.

Source Truth (SOURCE · requires next gate)
  • supports: A source artifact exists and can be reviewed.
  • does not assert: Deployment, runtime behavior, signal observation, or public proof.

Validation Truth (VALIDATION · requires next gate)
  • supports: A deterministic validation process passed inside its stated scope.
  • does not assert: Runtime operation, public signal, or external-use authorization.

Runtime Truth (RUNTIME · requires next gate)
  • supports: A control or detection is active in a runtime environment.
  • does not assert: Signal observation, evidence linkage, or public-safe proof.

Signal Truth (SIGNAL · requires next gate)
  • supports: The detection produced a bounded signal in the observed context.
  • does not assert: Fleet scope, production readiness, or public-safe status.

Evidence Truth (EVIDENCE · requires next gate)
  • supports: A preserved evidence artifact supports a specific bounded claim.
  • does not assert: Claims outside the evidence boundary.

Public Proof (PUBLIC-PROOF · requires next gate)
  • supports: A public-facing claim has passed the required promotion boundary.
  • does not assert: Private runtime or signal claims not linked into public proof.

Repository authority

Six repositories. Three planes. Authority flows down only.

detections → validation → proof feeds the chain. .github and platform overlay it. website renders the receipts; it does not author them.

Planes: GOV / RUNTIME · AUTHORITY CHAIN · RENDERING

  1. .github: governance / reviewer routing (GOVERNANCE)
  2. platform: runtime contracts / boundaries (RUNTIME)
  3. detections: source logic (AUTHORITY), feeds validation
  4. validation: tests · fixtures · verifiers (AUTHORITY), feeds proof
  5. proof: evidence boundary · ceiling (AUTHORITY)
  6. website: rendering only · reviewer routing (RENDER), renders read-only

RENDER ≠ AUTHORITY

Artifact registry preview

Seven families. Four evidence axes. What is supported and what is gated.

Filled cells are supported at the current ceiling. Hollow cells require a specific promotion gate before they can be claimed.

Evidence axes: Source receipt, Validation receipt, Evidence receipt, Public rendering

Artifact families:

  • Proof records: HO-DET-001, AWS-DET-001; bounded proof cards at the current ceiling.
  • Detection factory: Detection-as-code rule, SPL, and ownership trail in the detections repo.
  • Validation / CI: Deterministic fixtures, contract assertions, blocked-claim scanner.
  • Proof system: Promotion gates, claim ceiling, evidence linkage records.
  • Repo governance: Plane separation between source, validation, platform, proof, and rendering.
  • Platform / runtime contracts: Runtime architecture and platform control patterns. Behind the next promotion gate.
  • Website rendering: Public routes, reviewer navigation. Renders the receipts; does not author them.

Legend: filled = supports today · hollow = requires next promotion gate · dot = out of scope by design

Precision boundary

Claim firewall

Public wording passes through a deterministic scanner before it ships. Blocked terms stay visible — they describe what this surface does not assert.

WORDING · SCANNER · CEILING · BLOCKED · CLAIM · CI/CD · DETERMINISTIC GATE

Blocked terms:

  • runtime-active
  • signal-observed
  • public-safe runtime proof
  • production-ready
  • fleet-wide
  • live Splunk fired
  • Splunk-proven Runtime Signal 001
  • Cribl-routed
  • Wazuh-routed
  • AWS-live
  • autonomous SOC
  • AI-approved disposition
  • analyst-approved disposition
  • public-safe
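
A deterministic blocked-claim gate of the kind described above could look like the following. This is an added example, not the project's own scanner: the term list is copied from this page, while the normalization rules, the `[blocked-term-list]` allow marker and the sample wording are assumptions made for illustration.

```python
import re
import unicodedata

# Blocked terms as listed on the page's claim firewall.
BLOCKED_TERMS = [
    "runtime-active", "signal-observed", "public-safe runtime proof",
    "production-ready", "fleet-wide", "live Splunk fired",
    "Splunk-proven Runtime Signal 001", "Cribl-routed", "Wazuh-routed",
    "AWS-live", "autonomous SOC", "AI-approved disposition",
    "analyst-approved disposition", "public-safe",
]
ALLOW_MARKER = "[blocked-term-list]"  # hypothetical tag for the visible blocked list
# Look-alike dashes fold to "-"; zero-width characters and soft hyphens are dropped.
_FOLD = {**dict.fromkeys(map(ord, "\u2010\u2011\u2012\u2013\u2014\u2015\u2212"), "-"),
         **dict.fromkeys(map(ord, "\u200b\u200c\u200d\ufeff\u00ad"), None)}

def normalize(text):
    """Canonicalize wording so spelling tricks cannot slip past the scan."""
    return unicodedata.normalize("NFKC", text).translate(_FOLD)

def _compile(term):
    body = r"[-\s]*".join(map(re.escape, re.split(r"[-\s]+", term)))
    # \w lookarounds keep state tokens such as NOT_PUBLIC_SAFE from matching.
    return re.compile(rf"(?<!\w){body}(?!\w)", re.IGNORECASE)

# Longest terms first, so "public-safe runtime proof" wins over "public-safe".
_PATTERNS = [(t, _compile(t)) for t in sorted(BLOCKED_TERMS, key=len, reverse=True)]

def scan(text):
    """Return sorted (line_number, term) findings; an empty list means the gate passes."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if ALLOW_MARKER in raw:
            continue
        line, taken = normalize(raw), []
        for term, pat in _PATTERNS:
            for m in pat.finditer(line):
                if all(m.end() <= s or m.start() >= e for s, e in taken):
                    taken.append(m.span())
                    findings.append((lineno, term))
    return sorted(findings)
# Constructed sample wording, not taken from the project.
SAMPLE = "\n".join([
    "HO-DET-001 is validated in controlled tests.",
    "The rule is now Production\u2011Ready and fleet wide.",
    "Pack state: NOT_PUBLIC_SAFE; this is public safe runtime proof.",
    "[blocked-term-list] runtime-active, signal-observed, AWS-live",
])
if __name__ == "__main__":
    raise SystemExit(1 if scan(SAMPLE) else 0)  # non-zero exit fails the CI job
```

Because the allow marker exempts a whole line, a reviewer should treat any change that adds the marker as a change to the gate itself.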

Website rendering

Website renders the map. Proof lives in the repos.

Open the proof ledger →

Release path · governed

Proof Pack 001 · release path implemented.

Source / check-mode release path is merged on the proof repo. No official release, tag, or signed artifact is claimed from this surface.

CONTROLLED_TEST_VALIDATED
  • Detection: HO-DET-001
  • Pack status: RELEASE_PATH_IMPLEMENTED
  • Source mode: CHECK_MODE_SOURCE_ONLY
  • Next gate: OFFICIAL_RELEASE_PENDING_APPROVAL
  • Public-safe state: NOT_PUBLIC_SAFE
  • Authority: Proof repo holds the receipt; website routes only.

Prior operating context · HawkinsOps V1 / SignalFoundry

Recorded for context, not as current HawkinsOperations proof. Current claims are bounded by source, validation, evidence, and the public-proof surface.

  • 324,074 cases processed
  • 200+ detections built
  • 208/208 CI assertions
  • 39.7% reduction measured
  • 100% high-severity preservation

Doctrine

AI is labor. Governance is authority.

Build loud. Verify hard. Claim tight. Ship receipts. The system separates the work AI can accelerate from the gates that decide what HawkinsOperations is allowed to claim publicly.